Linux Commando

This blog is about the Linux Command Line Interface (CLI), with an occasional foray into GUI territory.
Instead of just giving you information like some man page, I hope to illustrate each command in real-life scenarios.

Search This Blog

Wednesday, July 27, 2016

This post reviews ExpressVPN, a hosted Virtual Private Network (VPN) service. A hosted VPN service is a paid subscription service. With a VPN, all your Internet communication is encrypted and passed through a secure proxy (the VPN server) before continuing to the intended destination. To the rest of the world, the Internet traffic appears to come from the VPN server, not your home computer.

Why VPN?

Subscription to a VPN service provides many benefits. For a brief video introduction, please click here.

Anonymity and privacy

When you connect to the Internet, you are exposing yourself to the world of hackers and government spy agencies who want to track your on-line activities, and steal your private information.

Many people have misplaced their trust in the Internet Service Providers (ISP) to protect their on-line anonymity and privacy. It is generally well known that ISPs do log your Internet activities. They are obliged to hand over the data if they are subpoenaed by government authorities.

The tech savvy may run Tor, a popular security tool, on their home computers. But, running Tor by itself is not good enough. While the data is well protected, your ISP does know that you are using Tor. The mere usage of Tor may arouse suspicion and attract extra unwanted attention from the authorities.

By using VPN, all your Internet data and activities (including Tor usages) are protected, even from your ISP. The key is that the VPN vendor must not track your VPN traffic. This "no data logging" policy is written into ExpressVPN's terms of service agreement.

Breaking censorship

Even if you live in a democratic country, you may be subject to regional Internet restrictions. For example, I cannot watch NBC on-line because I live in Canada and they restrict access to American viewers only. Likewise, American viewers cannot stream hockey games from the Canadian CBC website.

With a VPN, you can break censorship by opening a VPN connection to a server located in the target country. For example, to watch the American NBC, I connect my computer to a VPN server located in the USA. In this way, my request to watch NBC is granted because it appears to come from an American location.

For better security and service to you, VPN vendors must deploy servers in as many cities and countries as possible. ExpressVPN's servers are located in 136 cities across 87 countries. This should cover the location requirement for most people.

VPN service features

Pricing & payment options

ExpressVPN's pricing is not the cheapest in the industry. However, it does offer a flexible term: you can sign up for 1 month, or you save money by committing for 6 or 12 months. All plans come with a generous 30-day money-back guarantee, and 7x24 live chat support.

I like the payment options that ExpressVPN offers. In addition to the major credit cards, ExpressVPN also accepts PayPal and Bitcoin. If you pay with a credit card, your identity is associated with your VPN account. On the other hand, you can buy bitcoins anonymously. If you pay with bitcoins which you purchased anonymously, you remain anonymous even to the VPN vendor.

Linux support

Many VPN vendors claim support for Linux. Windows users can download a VPN client which automatically configures your VPN connection. In contrast, the degree of Linux support is often in the form of instructions on how to manually set up a VPN connection.

ExpressVPN's Linux support is exceptional. You can download the VPN client for major Linux distributions such as Debian, Ubuntu, Fedora, and CentOS. You use the client for all your day-to-day VPN operations, such as connecting and disconnecting from the VPN, listing available servers, and reporting the connection status.

Installing ExpressVPN client

After you sign up for the service, download the VPN client according to the instructions in the official welcome email. You need to specify the Linux distribution before the download can proceed. For Debian or Ubuntu, select Ubuntu (there is no Debian option per se). Similarly, for Fedora or Centos, select Fedora.

It is also a good idea to download the VPN client's
signature file. For instructions on how to use the signature file to verify the client download, click here.

After you successfully download the client (expressvpn_1.1.0_amd64.deb), installing it is as easy as running the following command:

$ sudo dpkg -i expressvpn_1.1.0_amd64.deb

Next, you need to activate the VPN service. Note that you only need to do it once. You will be prompted to enter the activation code as provided to you in the welcome email.

$ expressvpn activate

You can download and install the VPN client on as many devices as you wish. But, you can only
have a maximum of 3 simultaneous VPN connections.

The next section explains how you will use the ExpressVPN client.

Useful commands

Note that I did not specify which VPN server to connect to. When you connect for the very first time and you do not specify the server, it will default to a recommended server, the 'smart' server, e.g., Montreal. In subsequent connections, it will default to the previous server.

What if I don't want to connect to the Montreal server? I live in Vancouver which is about 4,000 kilometres (or 2,485 miles) away from Montreal. So, I want to connect to a nearer server.

Performance test

A VPN service encrypts and reroutes your Internet traffic through the VPN server. Because of this indirection, it adds some level of overhead to the VPN speed performance.

To measure the performance overhead of ExpressVPN, I run the following tests.

Baseline (No VPN)

I run 3 tests without VPN, using speedtest.net. Each test measures the download and upload speeds. Results from the 3 tests are averaged and recorded in the row labeled 'No VPN' in the table below.

VPN connection to the nearest server (Seattle)

3 more tests were run with VPN connection to the Seattle server. Note that the download and upload speeds take a 21% and 18% hit respectively when you compare the results with tests performed without VPN. A drop in speed is unavoidable because of the inherent VPN performance overhead. This level of performance degradation is often acceptable to most users, and can be viewed as the cost of protecting your on-line privacy and anonymity.

VPN connection to the smart server (Montreal)

The Montreal server is located 4,000 kilometres (or 2,485 miles) away from Vancouver. In contrast, the Seattle server is only 200 kilometres (or 124 miles) away. In light of the greater distance, it is not surprising that the Montreal speed tests took a bigger hit than the Seattle tests.

VPN status

Ave download speed (Mbps)

Download speed penalty (%)

Ave upload speed (Mbps)

Upload speed penalty (%)

No VPN

26.73

N/A

6.69

N/A

Connected to USA - Seattle

21.10

21

5.49

18

Connected to Canada - Montreal

18.80

30

5.40

19

Summary & conclusion

Pros

Excellent Linux command-line interface

30-day money back guarantee

7x24 customer support via live chat or email

PayPal, Bitcoin and many more payment method options

Cons

Restricted number of devices for simultaneous connections

There are many VPN solutions in the market. But, if you are looking for Linux support, you should definitely give ExpressVPN a try. Linux power users will enjoy the use of the command-line VPN client.

Disclaimer

Linuxcommando was provided a free ExpressVPN subscription for this review.

Tuesday, January 26, 2016

Introduction

A modern server is typically multi-core, perhaps even multi-CPU. That is plenty of computing power to unleash on a given job. However, unless you run a job in parallel, you are not maximizing the use of all that power.

Below are some typical everyday operations we can speed up using parallel computing:

Backup files from multiple source directories to a removable disk.

Resize image files in a directory.

Compress files in a directory.

To execute a job in parallel, you can use any of the following commands:

Installation of GNU parallel

To install GNU parallel on a Debian/Ubuntu system, run the following command:

$ sudo apt-get install parallel

General Usage

The GNU parallel program provides many options which you can specify to customize its behavior.
Interested readers can read its man page to learn more about their usage. In this post, I will narrow the execution of GNU parallel to the following scenario.

My objective is to run a shell command in parallel, but on the same multi-core machine. The command can take multiple options, but only 1 is variable. Specifically, you run concurrent instances of the command by providing a different value for that one variable option. The different values are fed, one per line, to GNU parallel via the standard input.

The rest of this post shows how GNU parallel can backup multiple source directories by running rsync in parallel.

Parallel backup

The following command backs up 2 directories in parallel: /home/peter and /data.

Standard input

The echo command assembles the 2 source directory locations, separated by a newline character (\n), and pipes it to GNU parallel.

How many jobs?

By default, GNU parallel deploys 1 job per core. You can override the default usint the -j option.

-j specifies the maximum number of parallel jobs that GNU parallel can deploy. The maximum number can be specified in 1 of several ways:

-j followed by a number

-j2 means that up to 2 jobs can run in parallel.

-j+ followed by a number

-j+2 means that the maximum number of jobs is the number of cores plus 2.

-j- followed by a number

-j-2 means that the maximum number of jobs is the number of cores minus 2.

If you don't know how many cores the machine has, run the command below:

$ parallel --number-of-cores
8

Keeping output order

Each job may output lines to the standard output. When multiple jobs are run in parallel, the default behavior is that a job's output is displayed as soon as the job finishes. You may find this confusing because the output order may be different from the input order. The -k option keeps the output sequence the same as the input sequence.

Showing progress

The --eta option reports progress while GNU parallel executes, including the estimated remaining time (in seconds).

Input place-holder

GNU parallel substitutes the {} parameter with the next line in the standard input.

Each input line is a directory location, e.g., /home/peter. Instead of the full location, you can specify other parameters in order to extract a portion thereof - e.g., the directory name(/home) and the basename (peter). Please refer to the man page for details.

Summary

GNU parallel is a tool that Linux administrators should add to their repertoire. Running a job in parallel can only improve one's efficiency. If you are already familiar with xargs, you will find the syntax familiar. Even if you are new to the command, there is a wealth of on-line help on the GNU parallel website.

Friday, November 13, 2015

To a technical savvy person, hosting your own website on a VPS server can bring a tremendous sense of accomplishment and a wealth of learning opportunities. If WordPress is what you fancy, with a minimal monthly financial commitment, you can host a WordPress website on the LAMP platform (Linux, Apache, MySQL, PHP). For example, the entry-level, $5 per month plan offered by DigitalOcean, of which I am an affiliate, will give you a 512MB RAM, single-core VPS.

With such a small RAM capacity, you will need to optimize how your Apache webserver is configured to run PHP applications such as WordPress and Drupal. The goal is to maximize the number of concurrent web connections.

This tutorial details the Apache/PHP setup procedure on Debian 8.2, aka Jessie. The procedure assumes Apache is yet to be installed. However, if Apache2 is already installed, you will find practical information below on how to reconfigure Apache2 to run a different multi-processing module.

Background knowledge

According to a recent Netcraft webserver survey, Apache powers 46.91% of the top million busiest websites on the Internet. Busy websites mean many concurrent web connections.

Concurrent connection requests to Apache are handled by its Multi-Processing Modules. MPMs can be loosely classified as threaded or non-threaded. Older Apache releases default to a MPM named Prefork. This MPM is non-threaded. Each connection request is handled by a dedicated, self-contained Apache process.

Newer Apache releases default to a threaded MPM, either Worker or Event. The Worker MPM uses one worker thread per connection. One issue with this approach is that a thread is tied up if the connection is kept alive despite it being inactive.

The Event MPM, a variant of Worker, addresses the aforesaid keep-alive issue. A main thread is used as the traffic controller that listens for requests and passes requests to worker threads on demand. In this scenario, an inactive but kept-alive connection does not tie up a worker thread.

Note that MPMs are mutually exclusive: only 1 MPM can be active at any given time.

For the Prefork MPM, each spawned Apache process embeds its own copy of the PHP handler (mod_php). Concurrency in this model is limited by the number of processes that Apache can spawn given the available memory.

For both Worker and Event MPMs, PHP requests are passed to an external FastCGI process, PHP5-FPM. PHP-FPM stands for PHP-FastCGI Process Manager. Essentially, the webserver and the PHP handler are split to separate processes. Apache communicates with PHP-FPM through an Apache module, either mod_fastcgi or mod_fcgid. Optimizing concurrency in this model means configuring both the MPM and the PHP handler (PHP-FPM) to have pools of processes and threads to handle requests.

The rest of this tutorial covers the cases of installing the Event MPM from scratch as well as migrating to Event from the Prefork MPM.

Installing Apache2

This tutorial starts with the installation of Apache2. If Apache is already installed, you should find out which MPM is currently running using the command apache2ctl -V, and proceed to the next section.

The above output tells us that we are running Apache release 2.4. Beginning with 2.4, Apache runs the Event MPM by default.
If you are running an older version of Apache, the default MPM is either Prefork or Worker.

Configuring Apache2

Back up the Apache configuration file, /etc/apache2/apache2.conf.

$ sudo cp /etc/apache2/apache2.conf{,.orig}

Edit the configuration file.

Below is a subset of configuration parameters belonging to the Apache core module. You should adjust their values in order to optimize concurrency. The corresponding values are what I use for an entry-level VPS.

While the mod_rewrite module is not strictly relevant to optimizing concurrency, I've included it here as a reminder to install the module. It is an important module for running WordPress.

$ sudo a2enmod rewrite

Installing Event MPM

If you are already running the Event MPM, skip to the next section, 'Configuring Event MPM'. Otherwise, follow the procedure below.

Install the Event MPM.

$ sudo apt-get install apache2-mpm-event

Disable existing MPM.

Recall that only 1 of Prefork, Worker or Event MPM can be running at any given time. Therefore, if you were previously running Prefork or Worker, you must first disable it, and then enable Event.

To disable the Prefork MPM, run this command:

$ sudo a2dismod mpm_prefork

To disable the Worker MPM, run this:

$ sudo a2dismod mpm_worker

Enable the Event MPM.

$ sudo a2enmod mpm_event

Note that the above enable and disable commands are quite 'forgiving'. If you attempt to enable an MPM that is already enabled, or disable an MPM that is already disabled, it will simply return a harmless informational message.

Configuring Event MPM

To configure the Event MPM, modify its configuration file, /etc/apache2/mods-available/mpm_event.conf.
Before making any changes, back it up using the following command:

The above configuration is what I recommend for an entry-level VPS (512MB RAM, single-core). You need to adjust the parameters to satisfy your own system requirements. For a detailed explanation of the above parameters, click here. Note that the Event MPM shares the same parameters as the Worker MPM.

Installing PHP5 handler

To execute PHP code, Apache requires a PHP handler. PHP5-FPM is the PHP handler to use with the Event MPM.

For a new PHP installation, install php5-fpm followed by the meta-package php5.

$ sudo apt-get install php5-fpm php5

In addition to the above packages, I also installed other PHP5 packages which WordPress requires.
While they are not strictly relevant to optimizing concurrency, I've included them here for completeness.

$ sudo apt-get install php5-mysql php5-gd php5-curl

Configuring virtual host

Suppose your WordPress website has the domain name example.com. To set up a virtual host with that domain name, follow the steps below:

Create the Apache configuration file for example.com.

Instead of creating the file from scratch, use the default site as a template.

Installing FastCGI

Apache requires a FastCGI module to interface with the external PHP5-FPM processes.
You can use 1 of 2 FastCGI modules: mod_fastcgi and mod_fcgid.
Click here for a discussion of their differences.
This tutorial uses mod_fastcgi.

Before you install mod_fastcgi, you must:

Enable non-free.

Debian pre-packages the mod_fastcgi module in the non-free archive area of its repositories. Make sure that non-free is included in the /etc/apt/sources.list file.

Disable mod_php.

If Apache2 was previously installed with the Prefork MPM, most likely, it is configured to execute PHP using the mod_php module. In this case, you must disable the mod-php module before you install mod_fastcgi. Otherwise, the install will fail with the error message, 'Apache is running a threaded MPM, but your PHP Module is not compiled to be threadsafe. You need to recompile PHP.'

To disable mod_php, run this command:

$ sudo a2dismod php5

To install mod_fastcgi, execute the following command:

$ sudo apt-get install libapache2-mod-fastcgi

Configuring FastCGI

Back up configuration file.

Before you edit the configuration file /etc/apache2/mods-available/fastcgi.conf, back it up using the following command.

To access the website, you need to grant the proper permission explicitly using the Require all granted statement. Without it, access to the website will be denied with the error message 'You don't have permission to access /php5-fcgi/index.php on this server.'

Enable additional modules.

$ sudo a2enmod actions fastcgi alias

Restart Apache.

The final step is to restart Apache to make all the above changes go live.

$ sudo systemctl restart apache2

Threads in action

Concurrency for WordPress occurs at both the webserver (Apache2) and the PHP handler (PHP-FPM) levels. You can use the ps -efL command to monitor the processes and threads at either level.

To monitor Apache processes and threads, execute the following ps command.

Conclusion

When traffic to your website increases over time, your webserver must scale up to handle the increase in traffic. This tutorial explains how to configure Apache2 and PHP to optimize the number of concurrent connections. After you try it out, if you still find that your website cannot keep up with the traffic, you should consider upgrading your VPS plan to have more RAM.

Friday, October 30, 2015

Introduction

WordPress is the most popular content management system (CMS) on the planet today.
You can customize the look and feel of a WordPress website using third-party themes.
If you want a functionality not offered by the WordPress core, you will most likely find a third-party plugin that satisfies your requirement. With the plethora of themes and plugins comes a major challenge in assuring their quality. Intruders can potentially exploit the vulnerabilities in poorly designed themes and plugins to gain unauthorized access to a WordPress website.

WPScan is a WordPress vulnerability scanner that is free for non-commerical use.
It scans your WordPress website and reveals any known vulnerabilities in the installed plugins and themes.

The rest of this post explains how to install and run WPScan.

Installation

WPScan comes pre-installed on only a handful of lesser-known Linux distributions. If you run Debian, Ubuntu, Centos or Fedora, you must download the WPScan source and build it yourself. Because WPScan is written in Ruby, to build WPScan, you need to install the Ruby development environment.

Your first decision is to select a machine on which to build WPScan. This is the machine you use to launch WPScan later. Note that you can (and should) run WPScan on a different machine than the WordPress host. The examples in this post are based on a Debian 8.2 machine, aka Jessie.

Your next decision is how you will install the Ruby development environment, including the supporting development libraries.
The WPScan website outlines 2 ways to install the necessary development environment on a Debian server: the Debian package management system and the Ruby Version Manager(RVM).

RVM is the WPScan-recommended method. It allows you to install multiple, self-contained Ruby environments on the same system.
RVM puts a dedicated Ruby environment under your Home directory (e.g., /home/peter/.rvm). You can find the RVM procedure on the WPScan home page. I've followed the steps, and it works as advertised.

I opted instead for the Debian package manager method because it is a shorter procedure and I did not need the versatility (and the complexity) that RVM offers.

Below are the steps to install WPScan using the Debian package manager. The procedure is largely based on what is on the WPScan home page. I've added a couple of missing packages that are actually required.

Conclusion

WPScan is an important tool in your defense against possible attacks on your WordPress websites. It is recommended that you schedule WPScan to run regularly to detect known WordPress vulnerabilities. Yet, running WPScan is only half of your job. You remain vulnerable until you patch the vulnerabilities.

In general, the WordPress community fixes most known vulnerabilities and distributes the fixes quickly after the vulnerabilities are first reported. It is important that you keep your WordPress core and the third-party themes and plugins up-to-date. If your WordPress platform is up-to-date, WPScan will most likely return a clean report, and you can stop feeling vulnerable about your WordPress website.

Wednesday, July 29, 2015

This is part 3 of the series on using MySQLTuner to optimize MySQL database performance and stability. Part 1 explains how to install and run MySQLTuner. Part 2 addresses the area of database defragmentation. This post illustrates how to manage MySQL memory footprint.

MySQLTuner output

MySQLTuner was used to analyze a WordPress database deployed on the LAMP platform (Linux, Apache, MySQL, PHP). The host was a VPS server with only 512 MB of memory.

$ perl mysqltuner.pl

If you scroll down to the Recommendations section of the above report, it is hard to miss the eye-catching message:
'MySQL's maximum memory usage is dangerously high. Add RAM before increasing MySQL buffer variables.'

Indeed, adding more RAM is often the cheapest and simplest solution to out-of-memory problems. By spending an extra $5 per month, I can upgrade my VPS server to have 1 GB of RAM. But, before you go spend your hard-earned money on RAM, let's explore some other ways to reduce MySQL's memory footprint.

Maximum number of database connections

Lines that begin with two exclamation marks ('!!') are warnings. Note the following lines in the above Performance Metrics section:

According to the above warning, MySQL could potentially use up to 597.8 MB of RAM. Where did the number come from?

The number was derived from the preceding line. MySQL required 192MB globally and 2.7 MB per connection to the database. By default, the maximum number of connections was 150+1.
(The 151st connection would be restricted to database administration only.) Hence, the maximum memory usage was 192 + 150 * 2.7, equaling 597.

Should you allow for 150 connections? Keep in mind that each connection, even in the idle state, will take up some memory.
MySQLTuner can help you answer the question with confidence.

MySQLTuner reports the highest number of concurrent connections since the last MySQL restart (13 in the above example). The database should be up for a minimum of 24 hours before you run MySQLTuner. In fact, the longer the time elapses since the last restart, the more trustworthy is the statistic.

You can find out from the MySQLTuner report how long MySQL has been up. Go back to the first line under the Performance Metrics section. In the above example, MySQL had been up for 36 days since the last restart.

Although MySQL was configured for accepting 150 connections, the highest number of concurrent connections made in the past 36 days was only 13 (8% of the maximum). In light of that knowledge, we could lower the maximum number of connections allowed, therefore, reducing the total memory footprint for MySQL.

Before we go ahead to reconfigure MySQL, we will consider the wait-timeout threshold which affects how long idle connections stay alive before timing out.

Wait timeout

One of the General recommendations in the above example was:

'Your applications are not closing MySQL connections properly.'

In other words, database connections were opened but not properly closed after queries or updates were already completed.
These idle connections would hang around until a predefined timeout threshold was reached. The default timeout threshold was 8 hours. So, if a query completed in 2 seconds, but because the connection was not closed properly, the connection would live for another 28,798 seconds before timing out. In the meantime, the idle connections continued to consume resources including counting toward the maximum number of open connections.

The culprit was easily identified in the above case: the database was used exclusively for WordPress, an application written in PHP. However, solving the problem can be out of your reach, unless you are a PHP developer.

The good news is that you can reduce the timeout interval by adjusting a MySQL configuration parameter. By making idle connections time out faster, there will be less concurrent connections. For WordPress/PHP applications, I set the wait timeout to be 60 seconds.

It is also worth mentioning that because there are less idle connections due to quicker timeout, you can further reduce the maximum number of connections.

Re-configuring MySQL

To change the maximum number of connections or the wait timeout threshold, edit the MySQL configuration file as follows.

$ sudo vi /etc/mysql/my.cnf

The configuration variables of interest are max_connections, and wait_timeout. Enter a value for each variable using the following syntax:

max_connections = 50
wait_timeout = 60

For the above configuration changes to take effect, a restart of the MySQL daemon is needed.

For non-systemd systems, run the following command:

$ sudo service mysql restart

For systemd-enabled systems, run:

$ sudo systemctl restart mysql

Alternatively, you can dynamically change the configuration variables, thereby avoiding the database restart. To do that, issue the following commands.

Note that modifying the MySQL configuration file is still required if you want the changes to persist after future system restarts.

What's next?

MySQLTuner is not something you run once and forget about it. Your web traffic pattern changes over time. You should schedule to run it regularly and examine the output. Please refer back to Part 1 of this series for instructions on how to schedule a run.

The more knowledgeable you are about database optimization, the more effective you become on using the information provided by MySQLTuner. I recommend the following videos if you want to learn more about MySQL optimization: